There is a new info-stealing malware that appears as a cheat on a game called Cheat Lab, and it promises downloaders that if they convince their friends to download it too, they will receive a free copy. It is possible to harvest sensitive information from infected computers by using Redline malware, including passwords, cookies, autofill information, and cryptocurrency wallet information, which is one of the most powerful information-stealing malware programs.
As a result of the malware's popularity among cybercriminals and its widespread distribution channels, it has become widespread.
According to McAfee threat researchers, the new malware leverages Lua bytecode to evade detection. This makes it possible to inject malicious code into legitimate processes for stealth, while also benefiting from Just-In-Time compilations (JIT).
Using a command and control server associated with the malware, the researchers link this variant to Redline, which has been linked to the malware for a long time.
The tests BleepingComputer conducted revealed that the malware does not exhibit the typical behaviour associated with Redline, such as stealing browser information, saving passwords, and stealing cookies.
Through a URL linked to Microsoft's 'vcpkg' GitHub repository, the malicious Redline payloads resemble demonstrations of cheating tools named "Cheat Lab" and "Cheater Pro". When the malware is executed, it unpacks two files, compiler.exe and lua51.dll, once the MSI installer is installed.
The malicious Lua bytecode is also dropped in a file called 'readme.txt'.
The campaign uses an interesting lure to spread the malware even further by telling victims that if they convince their friends to install the cheating program, they will receive a free, fully licensed copy of the cheating program. As an added layer of legitimacy, the malware payload is distributed in the form of an uncompiled bytecode rather than an executable to avoid detection.
To make sure that the malware is not detected, it comes in the form of an activation key included.
Upon installation of the compiler.exe program, Lua bytecode is compiled and executed by it, and it also creates scheduled tasks that execute during system startup when the program is installed. The same executable also sets up persistence by creating scheduled tasks.
McAfee reports that a fallback mechanism is used by the malware to persist the three files, copying them to a long random path under the program directory that the malware is active on the infected system, it will communicate with a C2 server and send screenshots and system information to the server, then wait for commands to be executed by the server on the host system.
Even though it is unknown exactly how information thieves first infect computers, they are typically spread through malvertising, YouTube video descriptions, P2P downloads, and deceptive software download sites that can lead to infection.
The Redline virus is a highly dangerous one, which is why users are urged not to use unsigned executables or download files from unreliable websites.
As a result of this atta seemingly trustworthy programs, such as those found on Microsoft's GitHub, are at risk of infection by the Even though BleepingComputer contacted Microsoft about the executables that were distributed via its GitHub URLs, the company had not respond to the publication date.